| OLD | NEW |
|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/quic/core/crypto/quic_crypto_server_config.h" | 5 #include "net/quic/core/crypto/quic_crypto_server_config.h" |
| 6 | 6 |
| 7 #include <stdlib.h> | 7 #include <stdlib.h> |
| 8 | 8 |
| 9 #include <algorithm> | 9 #include <algorithm> |
| 10 #include <memory> | 10 #include <memory> |
| (...skipping 443 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 454 } | 454 } |
| 455 | 455 |
| 456 requested_config = GetConfigWithScid(requested_scid); | 456 requested_config = GetConfigWithScid(requested_scid); |
| 457 primary_config = primary_config_; | 457 primary_config = primary_config_; |
| 458 signed_config->config = primary_config_; | 458 signed_config->config = primary_config_; |
| 459 } | 459 } |
| 460 | 460 |
| 461 if (result->error_code == QUIC_NO_ERROR) { | 461 if (result->error_code == QUIC_NO_ERROR) { |
| 462 // QUIC requires a new proof for each CHLO so clear any existing proof. | 462 // QUIC requires a new proof for each CHLO so clear any existing proof. |
| 463 signed_config->chain = nullptr; | 463 signed_config->chain = nullptr; |
| 464 signed_config->signature = ""; | 464 signed_config->proof.signature = ""; |
| 465 signed_config->cert_sct = ""; | 465 signed_config->proof.leaf_cert_scts = ""; |
| 466 EvaluateClientHello(server_ip, version, requested_config, primary_config, | 466 EvaluateClientHello(server_ip, version, requested_config, primary_config, |
| 467 signed_config, result, std::move(done_cb)); | 467 signed_config, result, std::move(done_cb)); |
| 468 } else { | 468 } else { |
| 469 done_cb->Run(result, /* details = */ nullptr); | 469 done_cb->Run(result, /* details = */ nullptr); |
| 470 } | 470 } |
| 471 } | 471 } |
| 472 | 472 |
| 473 class ProcessClientHelloHelper { | 473 class ProcessClientHelloHelper { |
| 474 public: | 474 public: |
| 475 explicit ProcessClientHelloHelper( | 475 explicit ProcessClientHelloHelper( |
| (...skipping 71 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 547 requested_config_(requested_config), | 547 requested_config_(requested_config), |
| 548 primary_config_(primary_config), | 548 primary_config_(primary_config), |
| 549 done_cb_(std::move(done_cb)) {} | 549 done_cb_(std::move(done_cb)) {} |
| 550 | 550 |
| 551 void Run(bool ok, | 551 void Run(bool ok, |
| 552 const scoped_refptr<ProofSource::Chain>& chain, | 552 const scoped_refptr<ProofSource::Chain>& chain, |
| 553 const QuicCryptoProof& proof, | 553 const QuicCryptoProof& proof, |
| 554 std::unique_ptr<ProofSource::Details> details) override { | 554 std::unique_ptr<ProofSource::Details> details) override { |
| 555 if (ok) { | 555 if (ok) { |
| 556 signed_config_->chain = chain; | 556 signed_config_->chain = chain; |
| 557 signed_config_->signature = proof.signature; | 557 signed_config_->proof = proof; |
| 558 signed_config_->cert_sct = proof.leaf_cert_scts; | |
| 559 signed_config_->send_expect_ct_header = proof.send_expect_ct_header; | |
| 560 } | 558 } |
| 561 config_->ProcessClientHelloAfterGetProof( | 559 config_->ProcessClientHelloAfterGetProof( |
| 562 !ok, std::move(details), *validate_chlo_result_, reject_only_, | 560 !ok, std::move(details), *validate_chlo_result_, reject_only_, |
| 563 connection_id_, client_address_, version_, supported_versions_, | 561 connection_id_, client_address_, version_, supported_versions_, |
| 564 use_stateless_rejects_, server_designated_connection_id_, clock_, rand_, | 562 use_stateless_rejects_, server_designated_connection_id_, clock_, rand_, |
| 565 compressed_certs_cache_, params_, signed_config_, | 563 compressed_certs_cache_, params_, signed_config_, |
| 566 total_framing_overhead_, chlo_packet_size_, requested_config_, | 564 total_framing_overhead_, chlo_packet_size_, requested_config_, |
| 567 primary_config_, std::move(done_cb_)); | 565 primary_config_, std::move(done_cb_)); |
| 568 } | 566 } |
| 569 | 567 |
| (...skipping 125 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 695 } | 693 } |
| 696 | 694 |
| 697 QuicCryptoProof proof; | 695 QuicCryptoProof proof; |
| 698 if (!proof_source_->GetProof(server_ip, info.sni.as_string(), | 696 if (!proof_source_->GetProof(server_ip, info.sni.as_string(), |
| 699 primary_config->serialized, version, chlo_hash, | 697 primary_config->serialized, version, chlo_hash, |
| 700 connection_options, &signed_config->chain, | 698 connection_options, &signed_config->chain, |
| 701 &proof)) { | 699 &proof)) { |
| 702 helper.Fail(QUIC_HANDSHAKE_FAILED, "Missing or invalid crypto proof."); | 700 helper.Fail(QUIC_HANDSHAKE_FAILED, "Missing or invalid crypto proof."); |
| 703 return; | 701 return; |
| 704 } | 702 } |
| 705 signed_config->signature = proof.signature; | 703 signed_config->proof = proof; |
| 706 signed_config->cert_sct = proof.leaf_cert_scts; | |
| 707 } | 704 } |
| 708 | 705 |
| 709 helper.DetachCallback(); | 706 helper.DetachCallback(); |
| 710 ProcessClientHelloAfterGetProof( | 707 ProcessClientHelloAfterGetProof( |
| 711 /* found_error = */ false, /* proof_source_details = */ nullptr, | 708 /* found_error = */ false, /* proof_source_details = */ nullptr, |
| 712 *validate_chlo_result, reject_only, connection_id, client_address, | 709 *validate_chlo_result, reject_only, connection_id, client_address, |
| 713 version, supported_versions, use_stateless_rejects, | 710 version, supported_versions, use_stateless_rejects, |
| 714 server_designated_connection_id, clock, rand, compressed_certs_cache, | 711 server_designated_connection_id, clock, rand, compressed_certs_cache, |
| 715 params, signed_config, total_framing_overhead, chlo_packet_size, | 712 params, signed_config, total_framing_overhead, chlo_packet_size, |
| 716 requested_config, primary_config, std::move(done_cb)); | 713 requested_config, primary_config, std::move(done_cb)); |
| (...skipping 424 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1141 signed_config_(signed_config), | 1138 signed_config_(signed_config), |
| 1142 client_hello_state_(std::move(client_hello_state)), | 1139 client_hello_state_(std::move(client_hello_state)), |
| 1143 done_cb_(std::move(done_cb)) {} | 1140 done_cb_(std::move(done_cb)) {} |
| 1144 | 1141 |
| 1145 void Run(bool ok, | 1142 void Run(bool ok, |
| 1146 const scoped_refptr<ProofSource::Chain>& chain, | 1143 const scoped_refptr<ProofSource::Chain>& chain, |
| 1147 const QuicCryptoProof& proof, | 1144 const QuicCryptoProof& proof, |
| 1148 std::unique_ptr<ProofSource::Details> details) override { | 1145 std::unique_ptr<ProofSource::Details> details) override { |
| 1149 if (ok) { | 1146 if (ok) { |
| 1150 signed_config_->chain = chain; | 1147 signed_config_->chain = chain; |
| 1151 signed_config_->signature = proof.signature; | 1148 signed_config_->proof = proof; |
| 1152 signed_config_->cert_sct = proof.leaf_cert_scts; | |
| 1153 signed_config_->send_expect_ct_header = proof.send_expect_ct_header; | |
| 1154 } | 1149 } |
| 1155 config_.EvaluateClientHelloAfterGetProof( | 1150 config_.EvaluateClientHelloAfterGetProof( |
| 1156 found_error_, server_ip_, version_, requested_config_, primary_config_, | 1151 found_error_, server_ip_, version_, requested_config_, primary_config_, |
| 1157 signed_config_, std::move(details), !ok, client_hello_state_, | 1152 signed_config_, std::move(details), !ok, client_hello_state_, |
| 1158 std::move(done_cb_)); | 1153 std::move(done_cb_)); |
| 1159 } | 1154 } |
| 1160 | 1155 |
| 1161 private: | 1156 private: |
| 1162 const QuicCryptoServerConfig& config_; | 1157 const QuicCryptoServerConfig& config_; |
| 1163 const bool found_error_; | 1158 const bool found_error_; |
| (...skipping 107 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1271 } | 1266 } |
| 1272 } | 1267 } |
| 1273 | 1268 |
| 1274 // No need to get a new proof if one was already generated. | 1269 // No need to get a new proof if one was already generated. |
| 1275 if (need_proof) { | 1270 if (need_proof) { |
| 1276 QuicCryptoProof proof; | 1271 QuicCryptoProof proof; |
| 1277 | 1272 |
| 1278 if (proof_source_->GetProof( | 1273 if (proof_source_->GetProof( |
| 1279 server_ip, info->sni.as_string(), serialized_config, version, | 1274 server_ip, info->sni.as_string(), serialized_config, version, |
| 1280 chlo_hash, connection_options, &signed_config->chain, &proof)) { | 1275 chlo_hash, connection_options, &signed_config->chain, &proof)) { |
| 1281 signed_config->signature = proof.signature; | 1276 signed_config->proof = proof; |
| 1282 signed_config->cert_sct = proof.leaf_cert_scts; | |
| 1283 } else { | 1277 } else { |
| 1284 get_proof_failed = true; | 1278 get_proof_failed = true; |
| 1285 } | 1279 } |
| 1286 } | 1280 } |
| 1287 | 1281 |
| 1288 // Details are null because the synchronous version of GetProof does not | 1282 // Details are null because the synchronous version of GetProof does not |
| 1289 // return any stats. Eventually the synchronous codepath will be eliminated. | 1283 // return any stats. Eventually the synchronous codepath will be eliminated. |
| 1290 EvaluateClientHelloAfterGetProof( | 1284 EvaluateClientHelloAfterGetProof( |
| 1291 found_error, server_ip, version, requested_config, primary_config, | 1285 found_error, server_ip, version, requested_config, primary_config, |
| 1292 signed_config, nullptr /* proof_source_details */, get_proof_failed, | 1286 signed_config, nullptr /* proof_source_details */, get_proof_failed, |
| (...skipping 289 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1582 // max_unverified_size is the number of bytes that the certificate chain, | 1576 // max_unverified_size is the number of bytes that the certificate chain, |
| 1583 // signature, and (optionally) signed certificate timestamp can consume before | 1577 // signature, and (optionally) signed certificate timestamp can consume before |
| 1584 // we will demand a valid source-address token. | 1578 // we will demand a valid source-address token. |
| 1585 const size_t max_unverified_size = | 1579 const size_t max_unverified_size = |
| 1586 chlo_multiplier_ * (chlo_packet_size - total_framing_overhead) - | 1580 chlo_multiplier_ * (chlo_packet_size - total_framing_overhead) - |
| 1587 kREJOverheadBytes; | 1581 kREJOverheadBytes; |
| 1588 static_assert(kClientHelloMinimumSize * kMultiplier >= kREJOverheadBytes, | 1582 static_assert(kClientHelloMinimumSize * kMultiplier >= kREJOverheadBytes, |
| 1589 "overhead calculation may underflow"); | 1583 "overhead calculation may underflow"); |
| 1590 bool should_return_sct = | 1584 bool should_return_sct = |
| 1591 params->sct_supported_by_client && enable_serving_sct_; | 1585 params->sct_supported_by_client && enable_serving_sct_; |
| 1592 const size_t sct_size = should_return_sct ? signed_config.cert_sct.size() : 0; | 1586 const string& cert_sct = signed_config.proof.leaf_cert_scts; |
| 1587 const size_t sct_size = should_return_sct ? cert_sct.size() : 0; |
| 1593 const size_t total_size = | 1588 const size_t total_size = |
| 1594 signed_config.signature.size() + compressed.size() + sct_size; | 1589 signed_config.proof.signature.size() + compressed.size() + sct_size; |
| 1595 if (info.valid_source_address_token || total_size < max_unverified_size) { | 1590 if (info.valid_source_address_token || total_size < max_unverified_size) { |
| 1596 out->SetStringPiece(kCertificateTag, compressed); | 1591 out->SetStringPiece(kCertificateTag, compressed); |
| 1597 out->SetStringPiece(kPROF, signed_config.signature); | 1592 out->SetStringPiece(kPROF, signed_config.proof.signature); |
| 1598 if (should_return_sct) { | 1593 if (should_return_sct) { |
| 1599 if (signed_config.cert_sct.empty()) { | 1594 if (cert_sct.empty()) { |
| 1600 DLOG(WARNING) << "SCT is expected but it is empty."; | 1595 DLOG(WARNING) << "SCT is expected but it is empty."; |
| 1601 } else { | 1596 } else { |
| 1602 out->SetStringPiece(kCertificateSCTTag, signed_config.cert_sct); | 1597 out->SetStringPiece(kCertificateSCTTag, cert_sct); |
| 1603 } | 1598 } |
| 1604 } | 1599 } |
| 1605 } else { | 1600 } else { |
| 1606 DLOG(WARNING) << "Sending inchoate REJ for hostname: " << info.sni | 1601 DLOG(WARNING) << "Sending inchoate REJ for hostname: " << info.sni |
| 1607 << " signature: " << signed_config.signature.size() | 1602 << " signature: " << signed_config.proof.signature.size() |
| 1608 << " cert: " << compressed.size() << " sct:" << sct_size | 1603 << " cert: " << compressed.size() << " sct:" << sct_size |
| 1609 << " total: " << total_size | 1604 << " total: " << total_size |
| 1610 << " max: " << max_unverified_size; | 1605 << " max: " << max_unverified_size; |
| 1611 } | 1606 } |
| 1612 } | 1607 } |
| 1613 | 1608 |
| 1614 string QuicCryptoServerConfig::CompressChain( | 1609 string QuicCryptoServerConfig::CompressChain( |
| 1615 QuicCompressedCertsCache* compressed_certs_cache, | 1610 QuicCompressedCertsCache* compressed_certs_cache, |
| 1616 const scoped_refptr<ProofSource::Chain>& chain, | 1611 const scoped_refptr<ProofSource::Chain>& chain, |
| 1617 const string& client_common_set_hashes, | 1612 const string& client_common_set_hashes, |
| (...skipping 388 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2006 : channel_id_enabled(false), | 2001 : channel_id_enabled(false), |
| 2007 is_primary(false), | 2002 is_primary(false), |
| 2008 primary_time(QuicWallTime::Zero()), | 2003 primary_time(QuicWallTime::Zero()), |
| 2009 expiry_time(QuicWallTime::Zero()), | 2004 expiry_time(QuicWallTime::Zero()), |
| 2010 priority(0), | 2005 priority(0), |
| 2011 source_address_token_boxer(nullptr) {} | 2006 source_address_token_boxer(nullptr) {} |
| 2012 | 2007 |
| 2013 QuicCryptoServerConfig::Config::~Config() { | 2008 QuicCryptoServerConfig::Config::~Config() { |
| 2014 } | 2009 } |
| 2015 | 2010 |
| 2016 QuicSignedServerConfig::QuicSignedServerConfig() | 2011 QuicSignedServerConfig::QuicSignedServerConfig() {} |
| 2017 : send_expect_ct_header(false) {} | |
| 2018 QuicSignedServerConfig::~QuicSignedServerConfig() {} | 2012 QuicSignedServerConfig::~QuicSignedServerConfig() {} |
| 2019 | 2013 |
| 2020 } // namespace net | 2014 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2542993002:
Refactoring: Make QuicSignedServerConfig contain a QuicCryptoProof (Closed)
